Disturbing Trend

[Ross]

People I'm seeing a disturbing trend taking place with some of your browsers. Some of you are infected with Fun Web Products Spyware and either know and don't care or have no idea that it's on your computer. Please check your header information by copying and pasting this into your address bar and press enter:

javascript:alert(navigator.userAgent)

If your infected, your header info will look like this:

cmu-xx-xx-xxx-xxx.mivlmd.cablespeed.com
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; SLCC1; .NET CLR 2.0.50727; Media

If not infected, it will look like this:

cpe-xx-xx-xxx-xxx.neo.res.rr.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET

Further reading---> http://www.networkworld.com/newsletters/web/2003/1208web2.html

How to remove the offending software---> http://www.securecirt.net/pdfs/FunWebProducts.pdf

 

[Mary]

Ross,
I'm not getting anything coming up on mine.
What gives?

 

[Mary]

Ross,
I'm not getting anything coming up on mine.
What gives?

Oh, and speaking of disturbing trends, you've apparently grown horns and excess facial hair since I last viewed your avatar.
You trying to give mountain goats a run for their money?

 

[Ross]

Mary here is yours:

xx-xxx-xxx-xx.dhcp.cpgr.mo.charter.com
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center

 

[Mary]

Mary here is yours:

xx-xxx-xxx-xx.dhcp.cpgr.mo.charter.com
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center

So is that good?

 

[Blanche]

Ross:
I guess I don't know my header from a hole in the ground...In any event, I can't get this to do anything. Help
Blanche


javascript:alert(navigator.userAgent)

 

[RCB]

mine is okay

mine is okay

thanks for watch over us!

 

[Ross]

Ross:
I guess I don't know my header from a hole in the ground...In any event, I can't get this to do anything. Help
Blanche


javascript:alert(navigator.userAgent)

Blanche when you copy, paste and hit enter the line above, you should get a pop up window like this in the picture. See my address bar also.

 

[Ross]

So is that good?

It doesn't say anything about funweb products, so your safe, at least until talking to me.

Here is a shot from one of our infected viewers right now:

xxx-xxx-xxx-xx.tampabay.res.rr.com
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322)

 

[Dennis S]

I get the following:

I get the following:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3

I assume this is OK?

 

[Ross]

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3

I assume this is OK?

Yeap your fine, see the user agent I just posted as you posted.

 

[Lynlw]

thanks and thanks for the step by step pic for blanche since i'm lower than her on the comp knowledge stuff
I can't even figure out how to copy what mine said, but it matched to your "good" one

 

[lynn]

It says I have a gecko....is that a good thing?

 

[Bina]

I'm good....no FunWebProducts

 

[maka]

Hi
Mine says...Mozilla/4.0(compatible MSIE 6.0 AOL 9,0 Windows NT 5.1 SVI NETCLR 1.1 4322)
So it seems to me to be right.....right??? although I have no idea what all this means

 

[Creed3]

Thanks

Thanks

for the information Ross. I just checked mine and it came back ok. Thanks for watching out for all of us.

Take Care!
Gail

 

[Lisa in Katy]

Mine doesn't say anything about funweb, but it does say something about a Zango toolbar at the end. I don't know what that is, but otherwise, it looks okay.

 

[Ross]

Mine doesn't say anything about funweb, but it does say something about a Zango toolbar at the end. I don't know what that is, but otherwise, it looks okay.

Category
Search Hijacker : Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.



Reasons For Retention
The Zango Toolbar (hereafter, 'the Toolbar') fails the eTrust? PestPatrol® Spyware Scorecard v2.05.03. Research was conducted on December 28th, 2005. The Toolbar was downloaded from dollidol.com.
The Toolbar meets the following Scorecard criteria:

First, installs itself or any other item without user permission or knowledge at time of installation. The installation process lacks clarity of intention from the outset. When downloaded from dollidol.com a button titled ?Personalized Avatar of the Day' with ?Powered by Zango? below the avatar, was clicked. By doing this, another window opens with ?Doll idol.com? at top and the primary button titled ?CREATE NEW AVATAR.? The emphasis is placed on creating avatars. Clicking this button leads to the File Download box for ZangoInstaller.exe. After the installer is downloaded there are only two more steps, both of which come late in the installation process and after the key executable is on the system.

Second, displays popup/popunder ads. Ads are shown when the host product is not being used or even installed, though it is designed to ?support? other products.

Third, updates itself or any other. Zango installs a DAT file with many keywords that correspond to a popup ad. When a user types words in the browser, for example, Zango compares these words against those in the DAT file and if there is a match a popup ad will be displayed. These DAT files are updated periodically for more current ones or if the one on disk gets corrupted. Zango does this update at boot without user permission or awareness. Furthermore, Zango does not offer any configuration options related to updates.

Update
On 08/28/2006, the Zango Toolbar was observed hijacking address bar searches. If a user types something in the address bar, "travel" for example, the search is redirected to tvf.zango.com without informing the user that this is occurring.

 

[Ross]

It says I have a gecko....is that a good thing?

It means your using FireFox.

 

[Ross]

Hi
Mine says...Mozilla/4.0(compatible MSIE 6.0 AOL 9,0 Windows NT 5.1 SVI NETCLR 1.1 4322)
So it seems to me to be right.....right??? although I have no idea what all this means

Yeap, your fine. When your computer contacts a server, the server needs to know what your using to view the page with, so it looks at the user agent, which is what your seeing here.